Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Lab lab allows PHP Local File Inclusion. This issue affects Lab: from n/a through <= 1.0.0.
Published: 2025-06-09
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Lab theme contains a local file inclusion flaw caused by improper handling of the filename supplied to an include or require statement. An attacker who can influence the value the theme passes to that statement may read arbitrary files from the web server, potentially revealing configuration data, credentials, or other sensitive content. This weakness can be exploited during normal operation and is categorized as CWE-98, leading to confidentiality exposure and possible privilege escalation.

Affected Systems

The vulnerability affects installations of the axiomthemes Lab WordPress theme versions up to and including 1.0.0. All sites running these builds are potentially exposed; newer releases are not impacted.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, though the EPSS score of <1% suggests a low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack path likely involves manipulating a parameter that the theme passes directly to an include() call, which could be reachable from the frontend or from within the admin interface, depending on the theme's configuration. Because the inclusion is local, fully exploiting the flaw requires an existing foothold on the host server or a user with elevated privileges.

Generated by OpenCVE AI on May 1, 2026 at 07:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of the Lab theme (greater than 1.0.0) which removes the vulnerable include logic.
  • If updating is not immediately possible, delete the Lab theme or disable it to prevent further execution of the vulnerable code.
  • Implement input validation or sanitization for any paths that the theme may use, and consider adding file existence checks before including.
  • Deploy a web application firewall or file inclusion protection rule to block attempts to trigger the flaw.
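The third recommendation (validate the path and check that the file exists before including it) in code, as an added example rather than the Lab theme's own code; the template directory, the allowlisted template names and the request parameter name `tpl` are assumptions:

```php
<?php
// Added example: allowlist-based template loading for a PHP/WordPress theme.
// Directory, template names and the 'tpl' parameter are assumed, not taken
// from the Lab theme.

/**
 * Resolve a user-controlled template name to a file inside $baseDir,
 * or return null if it is not one of the allowed templates.
 */
function resolve_template(string $requested, string $baseDir, array $allowed): ?string
{
    // 1. Accept only a plain identifier: no '/', '..', NUL bytes, or
    //    stream wrappers such as php:// or data://.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }
    // 2. The name must come from a fixed allowlist; the raw value is never used.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 3. Resolve symlinks and confirm the file exists and still sits under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null; // template directory or template file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved path escaped the template directory
    }
    return $path;
}

// Usage: the include only runs after every check has passed.
$allowed = ['header', 'footer', 'sidebar'];
$tpl = resolve_template((string) ($_GET['tpl'] ?? ''), __DIR__ . '/templates', $allowed);
if ($tpl === null) {
    http_response_code(400);
    exit('Unknown template');
}
require $tpl;
```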



Advisories

  • Source: EUVD
    ID: EUVD-2025-17482
    Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Inset allows PHP Local File Inclusion. This issue affects Inset: from n/a through 1.18.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

  • Metrics cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

  • Description removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Inset allows PHP Local File Inclusion. This issue affects Inset: from n/a through 1.18.0.
  • Description added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Lab lab allows PHP Local File Inclusion. This issue affects Lab: from n/a through <= 1.0.0.
  • Title removed: WordPress Inset <= 1.18.0 - Local File Inclusion Vulnerability
  • Title added: WordPress Lab Theme <= 1.0.0 - Local File Inclusion Vulnerability
  • References
  • Metrics cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 11 Jul 2025 13:45:00 +0000

  • Metrics epss removed: {'score': 0.00151}
  • Metrics epss added: {'score': 0.00165}

Tue, 10 Jun 2025 14:15:00 +0000

  • Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Jun 2025 16:15:00 +0000

  • Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Inset allows PHP Local File Inclusion. This issue affects Inset: from n/a through 1.18.0.
  • Title: WordPress Inset <= 1.18.0 - Local File Inclusion Vulnerability
  • Weaknesses: CWE-98
  • References
  • Metrics cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:39.462Z

Reserved: 2025-02-12T13:59:03.606Z

Link: CVE-2025-26592

Vulnrichment

Updated: 2025-06-10T13:32:14.818Z

NVD

Status: Deferred

Published: 2025-06-09T16:15:35.517

Modified: 2026-04-23T15:25:52.230

Link: CVE-2025-26592

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:45:06Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')